Did Sony Fib? PSN ‘Hackers’ Claim Over 2 Million Credit Cards Stolen

Uh-oh, did hackers make off with your financial data in Sony’s PlayStation Network fiasco after all?

Sony recently claimed it was pretty sure–though not hermetically certain–that whoever poked around its PlayStation Network between April 17th and 19th didn’t make off with credit card data. Personal info like names, addresses, and birth dates, yes, but the company said the credit card data was encrypted and didn’t include card security codes.

Now the New York Timesreports that security researchers have witnessed chatter on “underground” message boards (sounds so clandestine, no?) suggesting hackers may have pinched piles of PSN member credit card numbers after all–as many as 2.2 million. Ruh-roh!

The security experts were unable to verify the claims (which could of course involve a bunch of jokers playing the “you pay me, then I send you” game), but senior researcher Kevin Stevens at Trend Micro told the Times the hackers were peddling the card database for upwards of $100,000, and that one admitted trying to sell the list back to Sony (Sony reportedly didn’t respond).

“The hackers that hacked PSN are selling off the DB,” said Stevens in a tweet. “They reportedly have 2.2 million credits cards with CVVs.”

When the Times asked Sony spokesperson Patrick Seybold about the matter, Seybold said he wasn’t aware of an “opportunity to purchase the list,” and reiterated Sony’s claim that the credit card data table was encrypted, that it didn’t store card security codes, and that the company had no evidence card data was compromised.

But security consultant Mathew Solnik with iSec Partners says his company’s hearing the hackers actually infiltrated the PSN’s master database, which he says “would have given them access to everything, including credit card numbers.”

And The Guardiansays some PSN members are now reporting instances of fraud, though noting (correctly) that the timing could be coincidental given the population size of the breach–77 million members in all.

Don’t assume any of this amounts to much yet, as nothing’s been verified.

“This #PSNHack is turning into a bunch of FUD [****ed up disinformation], it really is,” noted Trend Micro’s Kevin Stevens in a tweet this morning. “I posted up what I saw to warn people, not to incite the masses to create FUD.”

Eagle eye your financials to be safe, but don’t panic and phone-game what’s still unknown, in other words.